Summary. Poovendran, Corson and Baras presented a distributed cryptographic key generation algorithm suited to wireless networking environments. However, neither the security nor the computational complexity of their scheme was analyzed. In this work we present an information theoretic analysis of their scheme and derive the properties of the cryptographic keys that it generates. We also present efficient computational schemes that require only a logarithmic number of steps in the group size to compute the common keys.


1  Introduction 

Broadcast is the inherent mode of communication in wireless networks that deploy omnidirectional antennas. In broadcast mode, all members who are within the communication range of the transmitting node can receive the message, thus making it resource-efficient for the sender as well as for the network. However, in many applications the set of users that have access to the communication must be restricted. The use of cryptography is one way to restrict the set of members who can access the communication. When the amount of data is high, the use of symmetric keys helps reduce the computational overhead of encryption and decryption. However, the use of symmetric keys requires that all members share the same key for decryption. Several methods have been proposed to generate and distribute a single common key to all the members of a communicating group. Among these methods is the distributed key generation method proposed by Poovendran, Corson and Baras in [PCB], which we call the PCB scheme in this paper. The PCB scheme makes use of modular arithmetic and generalizes the property of the one-time pad analyzed by Shannon [CS]. However, as of now there is no analysis of the security properties of the PCB method. In this work we enhance the original PCB algorithm and present a security analysis based on information theoretic techniques. We also show how to develop a computationally efficient algorithm for computing the PCB keys.

The  organization  of  the  chapter  is  as  follows:  we  first  review  the  one-time 
pad  and  its  properties  using  probabilistic  as  well  as  information  theoretic 
approaches.  We  then  present  the  PCB  algorithm.  We  provide  detailed  analysis 
of  the  PCB  algorithm  using  probabilistic  as  well  as  information  theoretic 
techniques.  We  also  show  how  to  develop  computationally  efficient  techniques 
that  will  enable  efficient  calculation  of  the  group’s  shared  key. 


2  Properties  of  the  One-time  Pad  based  Encryption 

We use the notation of [DS] to define a cryptosystem. A cryptographic system is a five-tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}, \mathcal{E}, \mathcal{D})$, where the following conditions are satisfied:

1. $\mathcal{P}$ is a finite set of possible messages or plaintexts.

2. $\mathcal{C}$ is a finite set of possible encrypted messages or ciphertexts.

3. $\mathcal{K}$ is the finite set of keys, the keyspace.

4. $E_K \in \mathcal{E}$ is the encryption rule for a given key $K$. We write $E_K : \mathcal{P} \to \mathcal{C}$.

5. $D_K \in \mathcal{D}$ is the decryption rule for a given key $K$. We write $D_K : \mathcal{C} \to \mathcal{P}$.

2.1 One-time Pad Cryptosystem

Let $p$ be a large prime. The plaintext and the encryption key are of the same length, are chosen independently, and are assumed to be picked uniformly in the interval $[0, p-1]$. The encryption rule is addition modulo $p$. The one-time pad scheme is given below:

1. $\mathcal{P} = \{0, 1, \ldots, p-1\}$.

2. $\mathcal{C} = \{0, 1, \ldots, p-1\}$.

3. $\mathcal{K} = \{0, 1, \ldots, p-1\}$.

4. $E_K$ is the rule $\forall X \in \mathcal{P}$, $E_K(X) = X + K \bmod p$.

5. $D_K$ is the rule $\forall Y \in \mathcal{C}$, $D_K(Y) = Y - K \bmod p$.

If it can be shown that the ciphertext $Y$ is independent of the plaintext $X$ (and likewise of the encryption key $K$), then observing the ciphertext $Y$ reveals no information about the plaintext $X$, and hence the mutual information ([CT]) is
$$I(X \wedge Y) = E_{P_{XY}}\left[\log \frac{P_{XY}}{P_X P_Y}\right] = 0.$$
The main idea behind one-time pad based encryption is stated in the following theorem:

Theorem 1. Let $p$ be a large prime number and let $A, B$ be two random variables that are mutually independent and uniformly distributed over the interval $[0, p-1]$. Let $C = A + B \bmod p$. Then the random variable $C$ is uniformly distributed in the interval $[0, p-1]$, and $C$ is independent of $A$ and independent of $B$ (the three variables are pairwise independent; $C$ is of course a function of the pair $(A, B)$).

Proof: We compute the distribution of $C$ using

$$P(C = k) = \sum_{i=0}^{p-1} P(C = k \mid A = i)\, P(A = i) \quad (1)$$

$$= \sum_{i=0}^{p-1} P(A + B = k \mid A = i)\, P(A = i) \quad (2)$$

$$= \frac{1}{p} \sum_{i=0}^{p-1} P(B = k - i \mid A = i) \quad (3)$$

$$= \frac{1}{p} \sum_{i=0}^{p-1} P(B = k - i) \quad (4)$$

$$= \frac{1}{p}, \quad (5)$$

where (3) uses $P(A = i) = 1/p$, (4) uses the independence of $A$ and $B$, and (5) uses the fact that as $i$ runs over $[0, p-1]$ so does $k - i \bmod p$, so every one of the $p$ terms equals $1/p$.

Hence, $C$ is uniformly distributed over the range $[0, p-1]$. We now show that $C$ is independent of $A$ (and, by the same argument, of $B$).


$$P(C = k \mid A = i) = P(A + B = k \mid A = i) \quad (6)$$

$$= P(B = k - i \mid A = i) \quad (7)$$

$$= P(B = k - i) \quad (8)$$

$$= \frac{1}{p} \quad (9)$$

$$= P(C = k). \quad (10)$$


Hence, $C$ is not only uniformly distributed in the interval $[0, p-1]$, but also independent of $A$ (as well as of $B$).

A direct consequence of these derivations is that the random variable $C$ is uncorrelated with the random variables $A$ and $B$; more strongly, observing the random variable $C$ provides no information ([CT]) about $A$ or about $B$. This idea can be expressed in terms of the mutual information between the random variables $C$ and $A$ as:

$$I(C \wedge A) = E_{P_{AC}}\left[\log \frac{P_{AC}}{P_A P_C}\right]. \quad (11)$$

Noting that $P_{AC} = P_A P_C$, since $A$ is independent of $C$, we find that $\log \frac{P_{AC}}{P_A P_C} = \log 1 = 0$. Hence, the mutual information between the random variables $A$ and $C$ is zero. Substituting $A = X$, $B = K$ and $C = Y$ in the proof above shows that one-time pad encryption leads to a ciphertext that is uniformly distributed in the interval $[0, p-1]$ and satisfies $I(Y \wedge X) = 0$ as well as $I(Y \wedge K) = 0$. Both conclusions rest on the hypotheses of Theorem 1: the key must be uniform, independent of the plaintext, and used for a single message; a biased or reused key invalidates step (4) of the proof and the ciphertext then does leak information about the plaintext.
3 Review of the PCB Scheme

The PCB scheme presented in [PCB] can be viewed as a generalized version of one-time pad encryption. The PCB scheme consists of a Trusted Third Party based initialization step followed by a distributed key generation step. We first define the relevant notation. Let $E_{K_i}(m)$ denote the encryption of message $m$ with key $K_i$, and let $A \to B : m$ denote a message $m$ sent from entity $A$ to entity $B$. The PCB scheme is described below.

3.1 Initialization

In the initialization step, a Trusted Third Party (TTP) selects $n$ participants of the distributed key generation scheme, labeled $M_1, \ldots, M_n$. It is assumed that the TTP shares a pairwise key $K_i$ with member $M_i$ of the group. The TTP chooses a large prime $p$ and generates $n$ uniformly distributed and independent random variables denoted $\alpha_{i,0}$, $i = 1, \ldots, n$. The TTP computes

$$\theta_0 = \sum_{i=1}^{n} \alpha_{i,0} \bmod p. \quad (12)$$

The TTP initializes each entity $M_i$ using the following message transfer

$$\mathrm{TTP} \to M_i : E_{K_i}(\alpha_{i,0}, \theta_0). \quad (13)$$


3.2 Broadcast Enhanced Distributed Key Generation

The distributed key generation consists of two stages. In the first stage each node generates its contribution, and secures and transmits it. In the second stage, each node collects the contributions of all other nodes and combines them to generate the group key and its future one-time pad. The original PCB scheme in [PCB] assumed pairwise links between nodes. This procedure is costly in messages and can be avoided in wireless broadcast environments. We also note that in the original PCB scheme there was no mechanism to make the participants commit to the shares they would contribute to the group key generation. Lack of commitment makes the original PCB scheme vulnerable to a participant who waits for the other shares and then chooses its own so as to bias the final outcome. While we do not elaborate on the key space bias in this work, we eliminate it using a commitment. These two changes are reflected in steps 3 to 5 of the algorithm presented below. At iteration step $j$, a participant $M_i$ performs the following operations to generate its share of the distributed key:

1. $M_i$ generates a Fractional Key $FK_{i,j}$, uniform in $[0, p-1]$.

2. $M_i$ generates a Hidden Fractional Key $HFK_{i,j} = FK_{i,j} + \alpha_{i,j-1} \bmod p$.

3. $M_i$ generates a commitment $com_{i,j}$ to $HFK_{i,j}$.

4. $M_i \to * : com_{i,j}$.

5. $M_i \to * : E_{\theta_{j-1}}(HFK_{i,j})$.

A participant then combines the shares to compute the group key and the fresh one-time pad for its computations. A participant $M_i$ performs the following operations:

1. $\forall\, l \neq i$, obtain $HFK_{l,j}$ by decrypting under $\theta_{j-1}$, recompute the commitment of $HFK_{l,j}$ and verify that it equals $com_{l,j}$. If true, proceed to the next steps; else, terminate.

2. Compute the sum of all the Hidden Fractional Keys, $\sum_{i=1}^{n} HFK_{i,j} = \sum_{i=1}^{n} FK_{i,j} + \sum_{i=1}^{n} \alpha_{i,j-1} \bmod p$.

3. Compute the new group key as

$$\theta_j = \sum_{i=1}^{n} HFK_{i,j} + (p-1) \sum_{i=1}^{n} \alpha_{i,j-1} \bmod p = \sum_{i=1}^{n} FK_{i,j} \bmod p. \quad (14)$$

The correction term is available to every member without knowledge of the other members' pads: $\sum_{i} \alpha_{i,0} = \theta_0$ by construction, and for $j \geq 2$ step 4 of the previous iteration gives $\sum_{i} \alpha_{i,j-1} = n\theta_{j-1} - \sum_{i} FK_{i,j-1} = (n-1)\theta_{j-1} \bmod p$.

4. Compute $\alpha_{i,j} = \theta_j + (p-1) FK_{i,j} \bmod p$.

The PCB scheme is represented in the schematic diagram of Fig. 1.

Fig. 1. Iteration and Mappings of the Key Generation Algorithm (iteration $j$: $\alpha_{i,j}$ and $\theta_j$ map to $\alpha_{i,j+1}$; steps labelled (0) to (4))
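The two stages above, run end to end, as an added example (Python written for this chapter, not code from [PCB] or from the authors). The page leaves the commitment function and the cipher $E_{\theta_{j-1}}$ unspecified; the example assumes a SHA-256 hash commitment and an HMAC-SHA256 keystream keyed with $\theta_{j-1}$ as stand-ins, takes $2^{127}-1$ as the prime $p$, and uses a seeded RNG so that runs are reproducible (a deployment would draw $FK_{i,j}$ from a CSPRNG). It also spells out how every member obtains the correction term $\sum_l \alpha_{l,j-1}$ of (14) from $\theta_{j-1}$ alone.

```python
"""Simulation of the broadcast-enhanced PCB iteration: TTP initialisation,
then rounds of commit / hidden-share broadcast / combine, with all checks."""
import hashlib
import hmac
import random

P = (1 << 127) - 1  # stand-in for the "large prime p" (2^127 - 1 is prime)


def commit(i, j, hfk):
    # Assumed commitment: SHA-256 over (sender, round, HFK). The chapter does
    # not fix the commitment function; any binding, hiding commitment would do.
    return hashlib.sha256(f"{i}|{j}|{hfk}".encode()).hexdigest()


def pad(theta_prev, i, j):
    # Assumed instantiation of E_{theta_{j-1}}: an HMAC-SHA256 keystream
    # derived from theta_{j-1} and (sender, round), reduced mod p. Each
    # (sender, round) gets its own pad so the group key is never reused as
    # a raw one-time pad across messages.
    key = theta_prev.to_bytes(16, "big")
    tag = hmac.new(key, f"{i}|{j}".encode(), hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % P


def encrypt(theta_prev, i, j, m):
    return (m + pad(theta_prev, i, j)) % P


def decrypt(theta_prev, i, j, c):
    return (c - pad(theta_prev, i, j)) % P


class Member:
    def __init__(self, i, alpha0, theta0, rng):
        self.i, self.alpha, self.theta, self.rng = i, alpha0, theta0, rng
        self.fk = None

    def share(self, j):
        # Steps 1-5: fresh FK_{i,j}, HFK_{i,j} = FK_{i,j} + alpha_{i,j-1},
        # commitment, then (com, E_{theta_{j-1}}(HFK)) for broadcast.
        self.fk = self.rng.randrange(P)  # demo RNG; use secrets.randbelow(P) in practice
        hfk = (self.fk + self.alpha) % P
        return commit(self.i, j, hfk), encrypt(self.theta, self.i, j, hfk)

    def combine(self, j, n, coms, cts):
        # Step 1: recover every HFK_{l,j} and check it against com_{l,j};
        # a mismatch terminates the round (no key is derived).
        hfks = [decrypt(self.theta, l, j, cts[l]) for l in range(n)]
        for l in range(n):
            if commit(l, j, hfks[l]) != coms[l]:
                raise ValueError(f"member {self.i}: commitment of {l} does not verify")
        # Steps 2-3: theta_j = sum HFK_{l,j} - sum alpha_{l,j-1} mod p. The
        # correction term is public: sum alpha_{l,0} = theta_0 by construction,
        # and for j >= 2, sum alpha_{l,j-1} = n*theta_{j-1} - sum FK_{l,j-1}
        #                                   = (n-1)*theta_{j-1} mod p.
        sum_alpha_prev = self.theta if j == 1 else (n - 1) * self.theta % P
        theta_j = (sum(hfks) + (P - 1) * sum_alpha_prev) % P
        # Step 4: fresh pad alpha_{i,j} = theta_j + (p-1) FK_{i,j} mod p.
        self.alpha = (theta_j + (P - 1) * self.fk) % P
        self.theta = theta_j
        return theta_j


def ttp_init(n, rng):
    # TTP picks independent uniform alpha_{i,0}; theta_0 = sum alpha_{i,0} mod p.
    alphas = [rng.randrange(P) for _ in range(n)]
    return alphas, sum(alphas) % P


def run_pcb(n=5, rounds=3, seed=1):
    """Run `rounds` iterations; returns the agreed group keys theta_1..theta_rounds."""
    rng = random.Random(seed)
    alphas, theta0 = ttp_init(n, rng)
    members = [Member(i, alphas[i], theta0, rng) for i in range(n)]
    thetas = []
    for j in range(1, rounds + 1):
        # All commitments are collected before any hidden share is opened.
        coms, cts = zip(*(m.share(j) for m in members))
        views = [m.combine(j, n, coms, cts) for m in members]
        assert len(set(views)) == 1                         # every member agrees
        assert views[0] == sum(m.fk for m in members) % P   # theta_j = sum FK_{i,j}
        thetas.append(views[0])
    return thetas


def tamper_is_detected(n=4, seed=2):
    """A hidden share altered after its commitment was broadcast is rejected."""
    rng = random.Random(seed)
    alphas, theta0 = ttp_init(n, rng)
    members = [Member(i, alphas[i], theta0, rng) for i in range(n)]
    coms, cts = zip(*(m.share(1) for m in members))
    cts = list(cts)
    cts[0] = (cts[0] + 1) % P       # ciphertext of member 0 modified in transit
    try:
        members[1].combine(1, n, coms, cts)
    except ValueError:
        return True
    return False
```

`run_pcb` checks after every round that all members derive the same $\theta_j$ and that it equals $\sum_i FK_{i,j}$; `tamper_is_detected` shows that a share that no longer matches its commitment is rejected before any key is derived. Two points the simulation makes explicit: every commitment must be collected before any ciphertext is opened, otherwise the last member can still pick its share after seeing the others; and an unsalted hash commitment is hiding only because $HFK_{i,j}$ is uniform over a large field.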


4 Security Analysis of the PCB Scheme

As noted earlier, the PCB paper did not provide an analysis of the scheme. We provide the security analysis of the PCB scheme in this section. We make the following claims about the security of the PCB scheme:

Theorem 2. If the random variables $\alpha_{i,0}$ are mutually independent and uniformly distributed in the interval $[0, p-1]$, then the group key $\theta_0$, defined by

$$\theta_0 = \sum_{i=1}^{n} \alpha_{i,0} \bmod p, \quad (15)$$

is uniform in the interval $[0, p-1]$ and is independent of any subset consisting of $(n-1)$ of the random variables $\alpha_{i,0}$, $i = 1, \ldots, n$.

Proof: We first show that $\theta_0$ is uniformly distributed and then show that $\theta_0$ is independent of any set of $(n-1)$ of the $\alpha_{i,0}$. We prove that $\theta_0$ is uniformly distributed using induction. Let $U_i = U_{i-1} + \alpha_{i,0} \bmod p$ with $U_0 = 0$. Then $U_1 = \alpha_{1,0}$, $U_2 = \alpha_{1,0} + \alpha_{2,0}$, $\ldots$, $U_n = \theta_0$. We now show that $U_i$, $i = 1, \ldots, n$, are uniformly distributed. For $i = 1$, $U_1 = \alpha_{1,0}$ is uniform over the interval $[0, p-1]$ by the definition of $\alpha_{1,0}$. For $i = 2$, we have


$$P(U_2 = k) = \sum_{s_1=0}^{p-1} P(U_2 = k \mid \alpha_{1,0} = s_1)\, P(\alpha_{1,0} = s_1) \quad (16)$$

$$\stackrel{(i)}{=} \frac{1}{p} \sum_{s_1=0}^{p-1} P(\alpha_{1,0} + \alpha_{2,0} = k \mid \alpha_{1,0} = s_1) \quad (17)$$

$$= \frac{1}{p} \sum_{s_1=0}^{p-1} P(\alpha_{2,0} = k - s_1 \mid \alpha_{1,0} = s_1) \quad (18)$$

$$= \frac{1}{p} \sum_{s_1=0}^{p-1} P(\alpha_{2,0} = k - s_1) \quad (19)$$

$$\stackrel{(ii)}{=} \frac{1}{p}. \quad (20)$$

Step (i) follows from the definition of $U_2$ and $P(\alpha_{1,0} = s_1) = 1/p$; step (ii) follows from the observation that under modulo-$p$ arithmetic the summation still runs over all $p$ values of $\alpha_{2,0}$, even though the index is shifted by $s_1$. Hence, $U_2$ is uniformly distributed. Now we show that $U_2$ is independent of $\alpha_{1,0}$.


$$P(U_2 = k \mid \alpha_{1,0} = s_1) = P(\alpha_{1,0} + \alpha_{2,0} = k \mid \alpha_{1,0} = s_1) \quad (21)$$

$$= P(\alpha_{2,0} = k - s_1 \mid \alpha_{1,0} = s_1) \quad (22)$$

$$\stackrel{(i)}{=} P(\alpha_{2,0} = k - s_1) \quad (23)$$

$$= \frac{1}{p} \quad (24)$$

$$= P(U_2 = k). \quad (25)$$

Step (i) follows from the fact that $\alpha_{2,0}$ is independent of $\alpha_{1,0}$. Hence, $U_2$ is independent of $U_1 = \alpha_{1,0}$. Since $\alpha_{1,0}$ and $\alpha_{2,0}$ are mutually independent and enter $U_2$ symmetrically, interchanging them does not change the argument; hence $\sum_{i=1}^{2} \alpha_{i,0}$ is independent of $\alpha_{1,0}$ as well as of $\alpha_{2,0}$.

Having illustrated the proof for two variables, let us prove the result for $i = n$, when $\theta_0 = U_n$. We first prove that $\theta_0$ is uniformly distributed and then show that it is independent of any subset of $(n-1)$ of the $\alpha$'s. For simplicity, we define the notation $\{Y = y\} = \{\alpha_{1,0} = s_1, \ldots, \alpha_{n-1,0} = s_{n-1}\}$.

$$P(\theta_0 = k) = P(U_n = k) \quad (26)$$

$$= \sum_{s_1=0}^{p-1} \cdots \sum_{s_{n-1}=0}^{p-1} P(U_n = k \mid Y = y)\, P(Y = y)$$

$$= \sum_{s_1=0}^{p-1} \cdots \sum_{s_{n-1}=0}^{p-1} P(U_n = k \mid Y = y) \prod_{i=1}^{n-1} P(\alpha_{i,0} = s_i) \quad (27)$$

$$= \sum_{s_1=0}^{p-1} \cdots \sum_{s_{n-1}=0}^{p-1} P\Big(\alpha_{n,0} = k - \sum_{i=1}^{n-1} s_i\Big) \Big/ p^{\,n-1} \quad (28)$$

$$= \frac{1}{p}. \quad (29)$$

Step (28) uses the independence of $\alpha_{n,0}$ from $Y$ together with $P(\alpha_{i,0} = s_i) = 1/p$; each of the $p^{n-1}$ terms of (28) equals $(1/p)/p^{n-1}$. Hence, we note that $\theta_0$ is uniformly distributed in the interval $[0, p-1]$. We now show that $\theta_0$ is independent of any subset of $(n-1)$ of the $\alpha$'s.

Let $\{i_1, \ldots, i_{n-1}\}$ be any $(n-1)$ of the indices $1, \ldots, n$, let $i_n$ be the remaining index, and now let $\{Y = y\}$ stand for the event $\{\alpha_{i_1,0} = s_{i_1}, \ldots, \alpha_{i_{n-1},0} = s_{i_{n-1}}\}$. Then

$$P(\theta_0 = k \mid \alpha_{i_1,0} = s_{i_1}, \ldots, \alpha_{i_{n-1},0} = s_{i_{n-1}}) \quad (30)$$

$$= P\Big(\sum_{i=1}^{n} \alpha_{i,0} = k \,\Big|\, Y = y\Big) \quad (31)$$

$$= P\Big(\alpha_{i_n,0} = k - \sum_{l=1}^{n-1} s_{i_l} \,\Big|\, Y = y\Big)$$

$$\stackrel{(i)}{=} P\Big(\alpha_{i_n,0} = k - \sum_{l=1}^{n-1} s_{i_l}\Big) \quad (32)$$

$$= \frac{1}{p} \quad (33)$$

$$= P(\theta_0 = k). \quad (34)$$

Step (i) uses the mutual independence of the $\alpha$'s. Since the $(n-1)$ indices were chosen arbitrarily, $\theta_0$ is independent of any subset consisting of $(n-1)$ of the $\alpha$'s. We now state the following property of the PCB scheme as a theorem.

Theorem 3. If the random variables $FK_{i,j}$ are mutually independent and uniformly distributed in the interval $[0, p-1]$, then $\theta_j$, defined by

$$\theta_j = \sum_{i=1}^{n} FK_{i,j} \bmod p, \quad (35)$$

is uniform in the interval $[0, p-1]$ and is independent of any subset consisting of $(n-1)$ of the random variables $FK_{i,j}$, $i = 1, \ldots, n$.

Proof: Follows the same inductive argument as above with $\alpha_{i,0}$ replaced by $FK_{i,j}$ and $\theta_0$ replaced by $\theta_j$.

The above theorems show that observing any $(n-1)$ fractional keys does not reveal any information about the group key. Hence, an adversary needs to know all $n$ fractional keys to compute the group key $\theta_j$ at any iteration. In terms of the mutual information, we can write

$$I(\theta_j \wedge FK_{i_1,j}, \ldots, FK_{i_{n-1},j}) = 0, \quad (36)$$

where the subset of $(n-1)$ fractional keys is chosen arbitrarily. Note that these statements are about the fractional keys themselves. What an eavesdropper observes on the channel are the commitments and the ciphertexts $E_{\theta_{j-1}}(HFK_{i,j})$, so the secrecy of the fractional keys in transit rests on the cipher $E$ and on $\theta_{j-1}$ being unknown to the adversary; the theorems do not depend on $E$ but they do not replace it.

Theorem 4. The intermediate pads $\alpha_{i,j}$, computed using the formula

$$\alpha_{i,j} = \theta_j + (p-1) FK_{i,j} \bmod p, \quad (37)$$

satisfy the property $I(\alpha_{i,j} \wedge FK_{i,j}) = 0$, $i \in \{1, 2, \ldots, n\}$.

Proof:

$$I(\alpha_{i,j} \wedge FK_{i,j}) = H(FK_{i,j}) - H(FK_{i,j} \mid \alpha_{i,j}) \quad (38)$$

$$\stackrel{(i)}{=} H(FK_{i,j}) - H(FK_{i,j}) \quad (39)$$

$$= 0. \quad (40)$$

Step (i) follows from the fact that all the $FK_{i,j}$'s are mutually independent, and hence $FK_{i,j}$ is independent of the sum $\alpha_{i,j} = \theta_j - FK_{i,j} = \sum_{l \neq i} FK_{l,j} \bmod p$, which does not involve $FK_{i,j}$.
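An added numerical check of Theorems 1, 2 and 4 (example code written for this chapter, not from the original paper): for a small prime the joint laws can be enumerated exactly, so the mutual informations are computed rather than argued. It also covers the caveat of Sect. 2 that the one-time pad argument collapses when the key is not uniform: with a key that equals 0 half of the time, $I(Y \wedge X)$ is about 0.51 bits for $p = 7$. The helper functions and the small primes are choices made here.

```python
"""Exact mutual information over Z_p for the one-time pad (Sect. 2) and for
the PCB group key and pads (Theorems 2-4), by enumerating joint laws."""
from collections import defaultdict
from itertools import product
import math


def mutual_information(joint):
    """I(X;Y) in bits from a joint law {(x, y): probability}."""
    px, py = defaultdict(float), defaultdict(float)
    for (x, y), pr in joint.items():
        px[x] += pr
        py[y] += pr
    return sum(pr * math.log2(pr / (px[x] * py[y]))
               for (x, y), pr in joint.items() if pr > 0)


def uniform(p):
    return {v: 1.0 / p for v in range(p)}


def joint_law(laws, f, g):
    """Joint law of (f(v), g(v)) where v = (v_1, ..., v_n) has independent
    coordinates, v_i distributed by laws[i] (a dict value -> probability)."""
    joint = defaultdict(float)
    for vals in product(*(law.keys() for law in laws)):
        pr = math.prod(law[v] for law, v in zip(laws, vals))
        joint[(f(vals), g(vals))] += pr
    return dict(joint)


def otp_leakage(p, key_law):
    """(I(Y;X), I(Y;K)) for Y = X + K mod p with X uniform and K ~ key_law."""
    laws = [uniform(p), key_law]
    cipher = lambda v: (v[0] + v[1]) % p
    return (mutual_information(joint_law(laws, lambda v: v[0], cipher)),
            mutual_information(joint_law(laws, lambda v: v[1], cipher)))


def group_key_leakage(p, n, k):
    """I(theta; alpha_1..alpha_k) for theta = sum of n uniform shares mod p
    (Theorem 2 for k = n-1; k = n recovers theta entirely, giving log2 p)."""
    laws = [uniform(p)] * n
    return mutual_information(joint_law(laws, lambda v: v[:k], lambda v: sum(v) % p))


def pad_leakage(p, n):
    """Theorem 4: I(alpha_i; FK_i) with alpha_i = theta - FK_i = sum_{l != i} FK_l."""
    laws = [uniform(p)] * n
    return mutual_information(joint_law(laws, lambda v: v[0],
                                        lambda v: (sum(v) - v[0]) % p))


def biased(p, weight_on_zero):
    """Key law that picks 0 with the given probability; the rest uniform.
    Constructed to show the one-time pad losing perfect secrecy."""
    rest = (1.0 - weight_on_zero) / (p - 1)
    return {v: (weight_on_zero if v == 0 else rest) for v in range(p)}
```

With `p = 7`, `otp_leakage(7, uniform(7))` returns two zeros; `otp_leakage(7, biased(7, 0.5))` returns $I(Y \wedge X) = \log_2 7 - H(K) \approx 0.515$ bits. For three shares over $\mathbb{Z}_5$, `group_key_leakage(5, 3, 2)` is zero while `group_key_leakage(5, 3, 3)` is $\log_2 5$, the threshold behaviour of (36); `pad_leakage(5, 3)` is zero as in Theorem 4.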

Theorem 5. If the initial parameters $\alpha_{i,0}$ as well as the Fractional Keys $FK_{i,j}$ at every computational round $j$ are mutually independent and uniformly distributed in the interval $[0, p-1]$, then the group keys $\theta_j$ of different rounds are independent of one another (and hence uncorrelated).

Proof: We first show that $I(\theta_j \wedge \theta_m) = 0$ for any $j \neq m$.

$$I(\theta_j \wedge \theta_m) = H(\theta_j) - H(\theta_j \mid \theta_m) \quad (41)$$

$$= H\Big(\sum_{i=1}^{n} FK_{i,j}\Big) - H\Big(\sum_{i=1}^{n} FK_{i,j} \,\Big|\, \sum_{i=1}^{n} FK_{i,m}\Big) \quad (42)$$

$$\stackrel{(i)}{=} H\Big(\sum_{i=1}^{n} FK_{i,j}\Big) - H\Big(\sum_{i=1}^{n} FK_{i,j}\Big) \quad (43)$$

$$= 0. \quad (44)$$

Step (i) follows from the fact that, given random variables $FK_{1,j}, \ldots, FK_{n,j}$ as well as $FK_{1,m}, \ldots, FK_{n,m}$ that are mutually independent, any function $f(FK_{1,j}, \ldots, FK_{n,j})$ of the first set is independent of any function $g(FK_{1,m}, \ldots, FK_{n,m})$ of the second set. For the general case we use the notation $Z = \{\sum_{i=1}^{n} FK_{i,i_1}, \ldots, \sum_{i=1}^{n} FK_{i,i_h}\}$.

In order to prove the general case, consider the mutual information between a given $\theta_j$ and a set $S = \{\theta_{i_1}, \theta_{i_2}, \ldots, \theta_{i_h}\}$ with $\theta_j \notin S$. We claim that

$$I(\theta_j \wedge \theta_{i_1}, \ldots, \theta_{i_h}) = 0. \quad (45)$$

Proof: The proof is similar to the case above but is presented for completeness.

$$I(\theta_j \wedge \theta_{i_1}, \ldots, \theta_{i_h}) = H(\theta_j) - H(\theta_j \mid \theta_{i_1}, \ldots, \theta_{i_h}) \quad (46)$$

$$= H\Big(\sum_{i=1}^{n} FK_{i,j}\Big) - H\Big(\sum_{i=1}^{n} FK_{i,j} \,\Big|\, Z\Big) \quad (47)$$

$$\stackrel{(i)}{=} H\Big(\sum_{i=1}^{n} FK_{i,j}\Big) - H\Big(\sum_{i=1}^{n} FK_{i,j}\Big) \quad (48)$$

$$= 0. \quad (49)$$

Again, step (i) follows from the fact that the random variables $FK_{1,j}, \ldots, FK_{n,j}$ together with $S' = \{FK_{1,i_l}, \ldots, FK_{n,i_l}\}_{l = 1, \ldots, h}$, $i_l \neq j$, are mutually independent, so any function $f(FK_{1,j}, \ldots, FK_{n,j})$ is independent of any function $g$ of the variables in $S'$.


5 Extensions and Complexity

Not all wireless networks can be represented by a pure broadcast model. Many networks use multi-hop communications as well as directional antennas. Directional antennas and multi-hop communications change the communication complexity of distributed key generation, and do so for some algorithms more than for others.

In  this  section  we  describe  alternative  PCB  algorithms  better  tailored  for 
some  non-broadcast  wireless  networks.  These  alternative  algorithms  are  moti¬ 
vated  by  point-to-point  communications  in  wireless  network.  A  point-to-point 
model  corresponds  to  scenarios  such  as  a  group  of  widely  distributed  members 
communicating  using  cell  phones,  or  a  localized  group  communicating  using 
pencil  beam  directional  antennas. 

We  explore  three  alternative  algorithms  for  distributed  key  generation 
based  on  hypercube,  octopus,  and  tree  structures.  We  then  analyze  the  com¬ 
munication  complexity  of  the  original  PCB  algorithm,  broadcast-enhanced 
PCB  and  the  alternative  algorithms.  Our  analysis  has  shown  that  for  the 
point-to-point  network,  these  alternative  algorithms  have  lower  communica¬ 
tion  complexity  than  either  the  original  or  broadcast-enhanced  versions  of  the 
PCB  algorithm.  The  broadcast-enhanced  PCB  algorithm  has  lower  complex¬ 
ity  than  any  other  algorithm  in  a  pure  broadcast  network  while  the  original 
PCB  algorithm  has  the  highest  complexity. 

Each  of  the  alternative  algorithms  uses  the  same  initialization  phase  as 
the  original  and  broadcast  PCB  algorithms. 
5.1 Hypercube

For simplicity we assume that the group has size $n = 2^r$. Each group member has an identifier $i$ in the range $0, \ldots, n-1$. In a hypercube, two nodes are connected if their identifiers, represented as $r$-bit binary strings, differ in precisely one position. In the hypercube algorithm, during phase $k = 0, \ldots, r-1$, each group member communicates with the group member whose identifier differs only in the $k$-th bit position. After all $r$ phases, each node will have sent a message to and received a message from every group member with which it shares an edge of the hypercube. See Fig. 2.

Hypercube Algorithm — At iteration step $j$, a participant $M_i$ performs the following operations to generate its share of the distributed key (the commitment steps of Sect. 3.2 are not shown here, nor in the octopus and tree variants, but are needed for the same reason):

1. $M_i$ generates a Fractional Key $FK_{i,j}$.

2. $M_i$ generates a Hidden Fractional Key $HFK_{i,j} = FK_{i,j} + \alpha_{i,j-1} \bmod p$.

3. For the first set of exchanges in step $j$, which we call phase $k = 0$,

$$M_i \to M_{bin(i) \oplus bin(2^0)} : E_{\theta_{j-1}}(KK_{i,j,0} = HFK_{i,j}),$$

where $bin(t)$ is the $r$-bit binary representation of $t$ and $\oplus$ is the bitwise exclusive-or operation. Member $M_i$ then computes $TK_{i,j,0} = KK_{i',j,0} + HFK_{i,j} \bmod p$, where $i' = bin(i) \oplus bin(2^0)$ is its partner in this phase.

For phases $k = 1, \ldots, r-1$ of step $j$,

$$M_i \to M_{bin(i) \oplus bin(2^k)} : E_{\theta_{j-1}}(KK_{i,j,k} = TK_{i,j,k-1}).$$

Member $M_i$ then computes $TK_{i,j,k} = KK_{i',j,k} + TK_{i,j,k-1} \bmod p$, with partner $i' = bin(i) \oplus bin(2^k)$.

Phase 2 of the hypercube algorithm is shown in Fig. 2.

Once the $r$ phases of the exchange are complete, a participant $M_i$ holds the combined shares $\sum_{l=1}^{n} HFK_{l,j} = TK_{i,j,r-1}$. $M_i$ then computes the group key and the fresh one-time pad for its computations. $M_i$ performs the following operations:

1. Compute the new group key as

$$\theta_j = \sum_{i=1}^{n} HFK_{i,j} + (p-1) \sum_{i=1}^{n} \alpha_{i,j-1} \bmod p = \sum_{i=1}^{n} FK_{i,j} \bmod p.$$

2. Compute $\alpha_{i,j} = \theta_j + (p-1) FK_{i,j} \bmod p$.

Fig. 2. The Hypercube Key Generation Algorithm with Point-to-Point Communications

5.2 Octopus-d

The hypercube algorithm provides substantially lower communication complexity than either the original PCB or the broadcast-enhanced PCB algorithms. Further improvement can be achieved by using an octopus network [BW]. An octopus consists of a $d$-dimensional hypercube connecting a core subset of the group, with each core member directly connected to a subset of $(2^r - 2^d)/2^d = 2^{r-d} - 1$ of the non-core group members. In Fig. 3 a $d$-dimensional hypercube ($d = 2$) is used to interconnect the $2^d$ core group members of a group of size $2^r = 16$. Note that if $d = 0$ the octopus network collapses into a star network with a single group member connected to the other $2^r - 1$ members.

In the octopus-d algorithm each iteration has three passes. During the first pass each non-core group member transmits its key share to its corresponding core node. In the second pass the core members perform the exchanges of the hypercube algorithm. During the third pass each core node passes the sum of the $HFK_{i,j}$ to its corresponding non-core nodes. See Fig. 3.

Octopus-d Algorithm — In the algorithm each core node is numbered according to the hypercube algorithm, with hypercube identifiers $c = 0, \ldots, 2^d - 1$. Each non-core node is numbered by multiplying the hypercube identifier $c$ of its corresponding core node by $2^{r-d}$ and adding an index value which runs from $1$ to $2^{r-d} - 1$; the core node itself carries the identifier $c \cdot 2^{r-d}$, so that each core node and its dependents occupy one block of $2^{r-d}$ consecutive identifiers.

At iteration step $j$, a participant $M_i$ performs the following operations to generate its share of the distributed key:

1. $M_i$ generates a Fractional Key $FK_{i,j}$.

2. $M_i$ generates a Hidden Fractional Key $HFK_{i,j} = FK_{i,j} + \alpha_{i,j-1} \bmod p$.

3. Exchanges

Pass One — If $M_i$ is not a core member,

$$M_i \to M_{core(i)} : E_{\theta_{j-1}}(HFK_{i,j}),$$

where $core(i)$ is the core group member of $i$. Pass one communications are shown in Fig. 3. At the end of pass one each core node computes the sum of its own $HFK$ and those of its dependent non-core group members. Core member $c$ (identifier $c \cdot 2^{r-d}$) computes

$$KK_{c,j,0} = HFK_{c \cdot 2^{r-d},\, j} + \sum_{l = c \cdot 2^{r-d} + 1}^{c \cdot 2^{r-d} + 2^{r-d} - 1} HFK_{l,j} \bmod p.$$

Pass Two — Use a modified version of the exchanges of the hypercube algorithm on the core group members of the octopus. In the octopus the values $KK_{c,j,0}$ are distributed in the first set of exchanges, instead of the $HFK_{i,j}$ used by the standard hypercube algorithm.

Pass Three — If member $i$ is a core member, then depending on the communication model $M_i$ broadcasts

$$M_i \to * : E_{\theta_{j-1}}(TK_{i,j,d-1}),$$

or $M_i$ uses point-to-point messages to deliver $E_{\theta_{j-1}}(TK_{i,j,d-1})$ to each of its dependents,

$$M_i \to M_{dependent_k(i)} : E_{\theta_{j-1}}(TK_{i,j,d-1}), \quad k = 1, \ldots, 2^{r-d} - 1,$$

where $dependent_k(i)$ is the $k$-th dependent of member $i$. This phase is shown in Fig. 3.

Once the exchanges of this iteration are complete, a participant $M_i$ holds the combined shares $\sum_{l=1}^{n} HFK_{l,j} = TK_{core(i),j,d-1}$. $M_i$ then computes the group key and the fresh one-time pad for its computations. $M_i$ performs the following operations:

1. Compute the new group key as

$$\theta_j = \sum_{i=1}^{n} HFK_{i,j} + (p-1) \sum_{i=1}^{n} \alpha_{i,j-1} \bmod p = \sum_{i=1}^{n} FK_{i,j} \bmod p.$$

2. Compute $\alpha_{i,j} = \theta_j + (p-1) FK_{i,j} \bmod p$.

Fig. 3. The Octopus-d Key Generation Algorithm with Point-to-Point Communications ($r = 4$, $d = 2$)

5.3 Binary Tree

For simplicity we assume that the group has $n = 2^r - 1$ group members. Each group member has an identifier $i$ in the range $0, \ldots, n-1$ and is a node (interior node or leaf node) of a complete binary tree with $r$ levels. The group members are numbered level by level: group member 0 is the root of the tree, group member 1 is the left child of the root, member 2 is the right child of the root, and so on, so that the children of node $i$ are $2i+1$ and $2i+2$ and its parent is $\lfloor (i-1)/2 \rfloor$.

Binary Tree Algorithm — In the tree algorithm each iteration has two passes. During the first pass each node of the tree (working from the leaf nodes up toward the root) communicates to its parent the sum of its own Hidden Fractional Key and those of all of the node's descendants. During the second pass the sum of the Hidden Fractional Keys for the group is distributed by the root. In the point-to-point model each node of the tree communicates with its children, working from the root down toward the leaf nodes. In the broadcast model the root distributes the sum directly to each member using a single broadcast. See Fig. 4.

At iteration step $j$, a participant $M_i$ performs the following operations to generate its share of the distributed key:

1. $M_i$ generates a Fractional Key $FK_{i,j}$.

2. $M_i$ generates a Hidden Fractional Key $HFK_{i,j} = FK_{i,j} + \alpha_{i,j-1} \bmod p$.

3. Exchanges

Pass One — Pass one propagates the Hidden Fractional Keys to the root of the tree. If $M_i$ is a leaf node, i.e., $M_i$ is represented by a level 0 node, then

$$M_i \to M_{parent(i)} : E_{\theta_{j-1}}(HFK_{i,j}),$$

where $parent(i)$ is the group member represented by the parent node of node $i$. Group member $M_{parent(i)}$ then computes $KK_{parent(i),j,1} = HFK_{i,j} + HFK_{sibling(i),j} + HFK_{parent(i),j} \bmod p$.

If $M_i$ is represented by a level $k$ interior node, it must wait until it has received the values of both of its children, and then computes $KK_{i,j,k} = KK_{left\_child(i),j,k-1} + KK_{right\_child(i),j,k-1} + HFK_{i,j} \bmod p$. If $M_i$ is not the root of the tree, it then sends $KK_{i,j,k}$ to its parent, i.e.,

$$M_i \to M_{parent(i)} : E_{\theta_{j-1}}(KK_{i,j,k}).$$

Group member $M_{parent(i)}$ then computes $KK_{parent(i),j,k+1} = KK_{i,j,k} + KK_{sibling(i),j,k} + HFK_{parent(i),j} \bmod p$. Pass One is shown in Fig. 4.

Pass Two — In the broadcast communication model the root of the tree broadcasts:

$$M_0 \to * : E_{\theta_{j-1}}(KK_{0,j,r-1}).$$

In the point-to-point model the root distributes $KK_{0,j,r-1}$ to the group using the tree. Each non-leaf node $M_i$ other than the root receives $KK_{0,j,r-1}$ from its parent, and every non-leaf node (the root included) then forwards it to its children by

$$M_i \to M_{left\_child(i)} : E_{\theta_{j-1}}(KK_{0,j,r-1})$$

$$M_i \to M_{right\_child(i)} : E_{\theta_{j-1}}(KK_{0,j,r-1}).$$

Once the exchanges of this iteration are complete, a participant $M_i$ holds the combined shares $\sum_{l=1}^{n} HFK_{l,j} = KK_{0,j,r-1}$. $M_i$ then computes the group key and the fresh one-time pad for its computations. $M_i$ performs the following operations:

1. Compute the new group key as

$$\theta_j = \sum_{i=1}^{n} HFK_{i,j} + (p-1) \sum_{i=1}^{n} \alpha_{i,j-1} \bmod p = \sum_{i=1}^{n} FK_{i,j} \bmod p.$$

2. Compute $\alpha_{i,j} = \theta_j + (p-1) FK_{i,j} \bmod p$.


Fig. 4. The Tree Key Generation Algorithm with Point-to-Point Communications (upper panel: Pass One; lower panel: Pass Two)


5.4 Comparison

The following tables compare the communication complexity of the algorithms in the pure broadcast and pure point-to-point models. For each combination of algorithm and model, we give the average number of messages (ignoring commitments) that each group member sends and receives as well as the maximum number of messages sent and received by a group member.

Algorithm     | Group Size | Ave. Trans. per Member | Ave. Recv. per Member           | Max. Trans. | Max. Recv.
------------- | ---------- | ---------------------- | ------------------------------- | ----------- | ---------------
Original PCB  | 2^r        | 2^r - 1                | (2^r - 1)^2                     | 2^r - 1     | (2^r - 1)^2
Bcast. PCB    | 2^r        | 1                      | 2^r - 1                         | 1           | 2^r - 1
Hypercube     | 2^r        | r                      | r (2^r - 1)                     | r           | r (2^r - 1)
Octopus-d     | 2^r        | 1 + d / 2^{r-d}        | 2^r + d 2^d - 1 - d / 2^{r-d}   | d + 1       | 2^r + d 2^d - 1
Tree          | 2^r - 1    | 1                      | 2^r - 2                         | 1           | 2^r - 2

Table 1. Key Generation Communication Costs — Broadcast

Algorithm     | Group Size | Ave. Trans. per Member | Ave. Recv. per Member | Max. Trans.     | Max. Recv.
------------- | ---------- | ---------------------- | --------------------- | --------------- | ---------------
Original PCB  | 2^r        | 2^r - 1                | 2^r - 1               | 2^r - 1         | 2^r - 1
Bcast. PCB    | 2^r        | 2^r - 1                | 2^r - 1               | 2^r - 1         | 2^r - 1
Hypercube     | 2^r        | r                      | r                     | r               | r
Octopus-d     | 2^r        | 2 + (d - 2) / 2^{r-d}  | 2 + (d - 2) / 2^{r-d} | 2^{r-d} + d - 1 | 2^{r-d} + d - 1
Tree          | 2^r - 1    | 2 - 2 / (2^r - 1)      | 2 - 2 / (2^r - 1)     | 3               | 3

Table 2. Key Generation Communication Costs — Point-to-Point
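The three point-to-point aggregation patterns of Sects. 5.1 to 5.3, run side by side with message counting, as an added example written for this chapter (not the authors' code). Encryption under $\theta_{j-1}$ and the commitments are left out, so what each member ends with is $\sum_l HFK_{l,j}$; the per-member maxima and averages can be compared directly with Table 2. For the octopus the example assumes the block numbering of Sect. 5.2 (core $c$ has identifier $c \cdot 2^{r-d}$ and owns the following $2^{r-d}-1$ identifiers), and for the tree the level-by-level numbering with children $2i+1$ and $2i+2$; the shares themselves are constructed values.

```python
"""Point-to-point aggregation of hidden shares over the three topologies of
Sect. 5 (hypercube, octopus-d, binary tree), with per-member message counts."""
from collections import Counter

P = 1000003  # stand-in prime for the demo


class Net:
    """Point-to-point channel; records one message per (sender, receiver)."""

    def __init__(self):
        self.sent, self.recv = Counter(), Counter()

    def send(self, src, dst, value):
        self.sent[src] += 1
        self.recv[dst] += 1
        return value  # what dst receives (encryption under theta_{j-1} omitted)


def hypercube(ids, vals, net):
    """Members ids[x] (x = 0..2^r-1) exchange partial sums; phase k pairs
    index x with x XOR 2^k. Returns the full sum at every member (Sect. 5.1)."""
    n = len(ids)
    r = n.bit_length() - 1
    assert n == 1 << r, "hypercube needs 2^r members"
    tk = list(vals)                                   # TK_{x,0} = own share
    for k in range(r):
        partner = [x ^ (1 << k) for x in range(n)]
        got = [net.send(ids[x], ids[partner[x]], tk[x]) for x in range(n)]
        tk = [(tk[x] + got[partner[x]]) % P for x in range(n)]
    return tk


def octopus(hfk, d, net):
    """2^d core members on a d-cube, each with 2^(r-d)-1 dependents. Block
    layout assumed here: core c has id c*2^(r-d) and owns the next
    2^(r-d)-1 ids (Sect. 5.2)."""
    n = len(hfk)
    r = n.bit_length() - 1
    block = 1 << (r - d)
    cores = list(range(0, n, block))
    kk = {c: hfk[c] for c in cores}                   # KK_{c,0} starts with own share
    for i in range(n):                                # pass one: dependents -> core
        if i % block:
            c = i - i % block
            kk[c] = (kk[c] + net.send(i, c, hfk[i])) % P
    tk = hypercube(cores, [kk[c] for c in cores], net)  # pass two: core d-cube
    total = [0] * n
    for c, t in zip(cores, tk):                       # pass three: core -> dependents
        total[c] = t
        for i in range(c + 1, c + block):
            total[i] = net.send(c, i, t)
    return total


def tree(hfk, net):
    """2^r - 1 members numbered level by level: children of i are 2i+1, 2i+2,
    parent is (i-1)//2 (Sect. 5.3)."""
    n = len(hfk)
    assert n & (n + 1) == 0, "tree needs 2^r - 1 members"
    kk = list(hfk)
    for i in range(n - 1, 0, -1):                     # pass one: leaves up to root
        parent = (i - 1) // 2                         # children of i have larger ids
        kk[parent] = (kk[parent] + net.send(i, parent, kk[i])) % P
    total = [0] * n
    total[0] = kk[0]
    for i in range(n):                                # pass two: root down to leaves
        for child in (2 * i + 1, 2 * i + 2):
            if child < n:
                total[child] = net.send(i, child, total[i])
    return total


def compare(r, d):
    """Check that every member ends with sum HFK mod p and return
    (max sent, max received, average sent) per algorithm, as in Table 2."""
    n = 1 << r
    hfk = [(i * 7919 + 13) % P for i in range(n)]     # constructed shares
    runs = {
        "hypercube": (hfk, lambda net: hypercube(list(range(n)), hfk, net)),
        "octopus": (hfk, lambda net: octopus(hfk, d, net)),
        "tree": (hfk[:n - 1], lambda net: tree(hfk[:n - 1], net)),
    }
    out = {}
    for name, (shares, fn) in runs.items():
        net = Net()
        totals = fn(net)
        assert all(t == sum(shares) % P for t in totals), name
        out[name] = (max(net.sent.values()), max(net.recv.values()),
                     sum(net.sent.values()) / len(shares))
    return out
```

`compare(4, 2)` gives (max sent, max received, average sent) of (4, 4, 4) for the hypercube, (5, 5, 2) for octopus-2 and (3, 3, 28/15) for the 15-member tree, which are the Table 2 entries $r$; $2^{r-d} + d - 1$ and $2 + (d-2)/2^{r-d}$; and $3$ and $2 - 2/(2^r - 1)$. With $d = 0$ the octopus degenerates to the star of Sect. 5.2 and the core member carries $2^r - 1$ messages in each direction.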